The Personal Information Protection Act, which came into force on May 01, 2010, compels companies to notify their customers in the event of a breach. Both companies did so.

Best Buy and Air Miles proactively reported to the Commissioner that they had been notified by their service provider, Epsilon (a large US-based third-party marketing organization), that it had experienced a data breach in which 50 million or more email addresses were compromised, and that their customers, as well as customers of other organizations serviced by Epsilon, had been affected. Best Buy and Air Miles had also proactively notified their affected members of the breach within a few days of learning about it.

Commissioner Work reviewed the incident reports by Best Buy and Air Miles and concluded that although the information at issue (name, email addresses and, in the Best Buy case, organization membership) was relatively minor compared to other data breaches involving unauthorized access to financial or other sensitive information, the sheer magnitude of the breach and the evidence that the information will likely be used for malicious purposes indicated there was a real risk of significant harm to affected individuals. He noted in his decisions that Best Buy and Air Miles had already notified the affected customers in compliance with section 19.1 of the PIPA Regulation, and therefore did not require the organizations to notify again.

CAUCE congratulates both Best Buy and Air Miles, as well as Alberta Information and Privacy Commissioner Frank Work, on their actions in this regard.

As always, our advice to consumers remains the same: if you received a notice from any company regarding the Epsilon breach, we suggest you change your email address immediately.

07 May 2011

End-users should be extremely careful clicking on any link, from both known and unknown sources (including this one), offering to show you gruesome pictures, proof that bin Laden is still alive, and so on. Spammers have followed their predictable pattern of launching massive campaigns capitalizing on bin Laden's death, by email and on social networking sites like Facebook, to get you to click through and potentially infect your computer in the process.

02 May 2011

On May 3rd, 1978, a Digital Equipment Corporation (DEC) marketing representative named Gary Thuerk and a DEC engineer named Carl Gartley sent what many believe to be the first email spam. (The message was dated May 1st, but sent on May 3rd.) It advertised two events in California promoting the new DECsystem-20, the first DEC computer capable of connecting easily to the ARPAnet, predecessor to the internet. The message was addressed (by hand) to every ARPAnet user on the West Coast of the United States that they could find, but ran into an unexpected limit: the mail program would only accept 320 addresses. The remaining addresses spilled over into the body of the message, and some recipients forwarded it on.

Scattered around the Internet today (and every May) you'll find various articles heralding the 33rd anniversary of spam, counting the years from Gary's message. They'll remark that spam has been with us a long time, maybe quote a few anti-spam vendor statistics, and say spam isn't going anywhere. But that's just bad research.

The ARPAnet and later the NSFnet were strictly non-commercial, both by contract and by social compact. Anyone who violated that got a stern talking-to, and could lose their access and get fired or expelled. So while there was indeed an occasional misstep, an occasional commercial message, they were very rare.

This changed in the mid-1990s, as the internet first became available to the general public. Commercial use was still hesitant, but increasing rapidly. Some of the early commercial users were entrepreneurs who are now considered geniuses; others were hucksters who are now in jail, or dead.

A common "get rich quick on the internet" scam was to sell books and kits for getting rich quickly on the internet. Often they were simply lists of ISPs by area code, some instructions paraphrased from The Internet for Dummies, and a few templates you could use to create your own web site. But there were also lists of email addresses and email blasting software — the unfortunate and unwelcome beginnings of both the email marketing industry and the ongoing malware epidemic.

Commercial use increased, and we have the internet we do today. Spam increased even faster. But that doesn't mean spam can't be controlled, and reduced. Every month there's another botnet taken down, another major bust by law enforcement — those used to happen maybe once a year, if we were lucky. There has never before in the history of the internet been so much focus on spam, malware, and other so-called "cybercrime" from so many different agencies, mostly (finally!) collaborating with each other. The internet won't return to the old, pre-commercial days, but it will get better.

And while it's true that the first bulk unsolicited commercial email was sent in 1978, there are stories of non-commercial mass messaging going back much further — such as the MIT user who transmitted, in 1971, the words "There is no way to peace. Peace is the way." Perhaps we should consider that the first Tweet?